12/6/2016
Home Depot Data Breach 2014
Recently, my graduate school program posted the question: "In September 2014, Home Depot stated that over 56 million credit cards had been compromised in a five-month cyber-attack on their payment systems...was the Home Depot incident handled correctly? Incorrectly?" (Southern New Hampshire University, 2016)
The efficacy of the Home Depot incident response needs to be evaluated in the context of the time. Why? Monday-morning quarterbacking without context threatens to overlook the serious constraints faced by any organization at the time. When criticizing the failure to respond, one must consider the institutional inputs that led to operational inertia. Without that consideration, information security leaders will diminish their trust among those who most need their help: organizations that have been hacked. An organization that has been breached faces many potential public relations and legal hurdles; it needs analysis that works within its current limitations to help it fix the problem.
Incident response begins with prevention. NIST lists five areas of prevention: Risk Assessments, Host Security, Network Security, Malware Prevention, and User Awareness and Training (Cichonski, Millar, Grance, & Scarfone, 2012).
In many discussions to date, Home Depot has been criticized for having outdated hardware, outdated operating systems, inadequate staffing, lack of planning, and lack of endpoint protection. Bloomberg published an article, which has been oft cited on this discussion board but may, in fact, be misleading.
In an article by Bank Info Security, the author makes a couple of relevant points. First, consider the Home Depot antivirus software, which can assist in Malware Prevention. According to Schwartz, "Bloomberg describes the version 11 anti-virus software as being 'out of date.' But technically speaking, the anti-virus is still supported by Symantec and receives anti-virus signature updates" (Schwartz, 2014). Schwartz continues:
In the bigger picture, furthermore, the anti-virus software was irrelevant, contends Chester Wisniewski, a senior security advisor at antivirus vendor Sophos. "A smart attacker in a targeted environment will always bypass your anti-virus," he says, and especially if they're trying to take down a retailer the size of Home Depot. "If you're hitting something of that scale, you say, 'Oh they're running Symantec, or McAfee, or Sophos,' and the first thing the bad guy is going to do is download the software for free with a 30-day trial, write a virus that works on it, then hit it. These guys aren't stupid." (Schwartz, 2014)
From personal experience, organizations of Home Depot's size cannot roll out the latest version of anti-virus software whenever it is released. Any new software runs the risk of interfering with existing software. Regression testing is needed, change control boards need to sign off, and rollback strategies must be in place to ensure thousands of POS systems don't fail at the rollout of new antivirus. Also, from my experience, it is often the Security Team that causes the delay, not wanting to go on record and take responsibility.
Home Depot may or may not have had a Risk Assessment that identified the threats that led to the data breach. It seems that they were partially aware of the situation.
In the year before cybercriminals penetrated payment systems of Home Depot stores in the U.S. and Canada, the retailer suffered at least two smaller hacks, according to internal company e-mails and reports. Afterward, Home Depot security contractors urged the company to strengthen its cyber defenses by activating a key, unused feature of its security software that the internal documents say would have added a layer of protection to the retail terminals where customers swipe their cards (Elgin, Riley, & Lawrence, 2014).
Contractors notifying Home Depot that it needed to strengthen its cyber defenses, with specific recommendations as to where and why, constitutes, ipso facto, a threat assessment, at least partially. Home Depot not being able to act on this intelligence gives a possible indication that the Incident Response Team structure was lacking. Despite two prior incidents and warnings from consultants, any existing incident response teams didn't seem to have put a preventative measure in place before the next attack. Although, concerning failure to implement certain recommendations, "it’s not clear that the deactivated safeguard would have stopped it—a person familiar with the investigation says the attack did hit the stores’ registers" (Elgin, Riley, & Lawrence, 2014).
Particular criticism has surrounded Home Depot's lack of endpoint protection. Endpoint protection can assist with network security but requires strong, experienced governance. Endpoint security is a double-edged sword. From NIST:
"The volume of potential signs of incidents is typically high; for example, it is not uncommon for an organization to receive thousands or even millions of intrusion detection sensor alerts per day." (Cichonski, Millar, Grance, & Scarfone, 2012)
"Deep, specialized technical knowledge and extensive experience are necessary for proper and efficient analysis of incident-related data." (Cichonski, Millar, Grance, & Scarfone, 2012)
If Home Depot had high turnover, retaining knowledgeable talent would have been difficult at best. Bloomberg noted, "... the security department has struggled with employee turnover and old software for about three years". Adding stress to a limited and possibly under-trained workforce could have exacerbated the problem, and improperly implemented intrusion protection is an active staff stressor. From NIST: "Incident response work is very stressful, as are the on-call responsibilities of most team members. This combination makes it easy for incident response team members to become overly stressed. Many organizations will also struggle to find willing, available, experienced, and properly skilled people to participate, particularly in 24-hour support" (Cichonski, Millar, Grance, & Scarfone, 2012). Turning on endpoint protection, with the possibility of a large number of false positives, may have done nothing to prevent the breach, and may have instead contributed to greater attrition in its ranks of security professionals.
I suspect that network and host security were in need of improvement, but I am not in possession of network diagrams. Further, there haven't been any articles that explain what configurations were on the POS systems. I have seen a lot of speculation. One document that I am critical of is "Case Study: The Home Depot Data Breach" by Brett Hawkins, on several points I won't address. In summary, though, a careful reading of that paper reveals numerous opinions that suggest bias, and few listings of facts. Regardless, Home Depot may have had extremely poor network and host security, but without details, I can only depend on the opinions of others. And many authors contradict each other here.
It is safe to say that Home Depot needed better prevention methods. It would be hard to argue otherwise. Yet it is not possible for this author to conclude that Home Depot was somehow negligent without more facts. Why? Doesn't the fact that Target had been compromised six months prior to the initial breaching event at Home Depot imply it? No, it does not. First, for any organization of Home Depot's size, change rarely happens that quickly. In a 2015 article by Rachel Abrams, "Chip Credit Cards Give Retailers Another Grievance Against Banks," it wasn't clear to retailers that new chip credit cards would solve issues of theft. Second, two years after it was hacked, the U.S. White House Office of Personnel Management is now less secure than when the first breach occurred (Russell, 2016). I have not seen any indication that security is worse at Home Depot. In fact, Home Depot has moved quickly to positively address the problems that were discovered, which is documented in numerous places. "Last year, Home Depot said it beefed up security introducing EMV chip-and-PIN technology in its U.S. stores along with introducing enhanced encryption in Canadian stores that takes raw payment card information and scrambles it to make it unreadable to unauthorized users" (Spring, 2016). As documented in NIST: 800-61 Computer Security Incident Handling Guide, part of incident response is learning how to prevent the incident from happening again. Home Depot did that.
Finally, Home Depot protected its shareholders. Protecting shareholders is a legitimate goal for a business and one of many reasons to create a corporation. In that way, I think Home Depot did exceedingly well. Incident response prepares the organization for upcoming legal challenges, and Home Depot did that, as demonstrated by their legal outcome: "'Home Depot wants to put this behind them as fast as possible,' said Charles Hoff, data security attorney and CEO of cybersecurity website PCI University. Hoff said, relatively speaking, Home Depot is getting off fairly modestly" (Spring, 2016).
Abrams, R. (2015, November 16). Chip Credit Cards Give Retailers Another Grievance Against Banks. Retrieved November 25, 2016, from http://www.nytimes.com/2015/11/17/business/chip-credit-cards-give-retailers-another-grievance-against-banks.html
Bucher, A. (2016, March 2). Home Depot Data Breach Class Action Settlement. Retrieved November 22, 2016, from https://topclassactions.com/lawsuit-settlements/closed-settlements/334196-home-depot-data-breach-class-action-settlement/
Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). NIST: 800-61 Computer Security Incident Handling Guide. Retrieved November 24, 2016, from http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Elgin, B., Riley, M., & Lawrence, D. (2014, September 14). Home Depot Hacked After Months of Security Warnings ... Retrieved November 24, 2016, from http://www.bloomberg.com/news/articles/2014-09-18/home-depot-hacked-after-months-of-security-warnings
Krebs, B. (2014, March 19). Krebs on Security. Retrieved November 22, 2016, from https://krebsonsecurity.com/2014/03/are-credit-monitoring-services-worth-it/
Russell, G. (2016, November 18). Two years after super-hack of US secrets, White House agency getting worse at cyber-defense. Retrieved November 25, 2016, from http://www.foxnews.com/politics/2016/11/18/two-years-after-super-hack-us-secrets-white-house-agency-getting-worse-at-cyber-defense.html
Schwartz, M. J. (2014, September 16). Analysis: Home Depot Breach Details - BankInfoSecurity. Retrieved November 25, 2016, from http://www.bankinfosecurity.com/analysis-home-depot-breach-details-a-7323
Spring, T. (2016, March 18). Home Depot Agrees To $19.5 Million Settlement To End 2014 Breach Nightmare. Retrieved November 25, 2016, from https://threatpost.com/home-depot-agrees-to-19-5-million-settlement-to-end-2014-breach-nightmare/116884/
Stafford, L. (2015, October 24). Data breach still a headache for Home Depot. Retrieved November 22, 2016, from http://www.ajc.com/business/data-breach-still-headache-for-home-depot/F2iNdZvPYYS2n50eFv3HjN/
Robert Fischer is an Enterprise Cloud Architect working on a Masters Degree in Cyber Security. These posts are adapted from his graduate work. Anne Fischer edits these posts for this blog.